Revision as of 11:26, 16 November 2011

XSS Prevention Overview

Data Type	Context	Code Sample	Defense
String	HTML Body	<span>UNTRUSTED DATA</span>	HTML Entity Encoding
String	"safe" HTML Attributes	<input type="text" name="fname" value="UNTRUSTED DATA">	Aggressive HTML Entity Encoding Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped) Only place untrusted data into a whitelist of safe attributes Strictly validate unsafe attributes such as background, id and name.
String	GET Parameter	<a href="/site/search?value=UNTRUSTED DATA">clickme</a>	URL Encoding
String	Untrusted URL rendered in an HREF tag (or other HTML link context)	<a href="UNTRUSTED DATA">clickme</a> <iframe src="UNTRUSTED DATA" />	Cannonicalize input URL Validation Safe URL verification Whitelist http and https URL's only Attribute encoder
String	CSS	<div style="width: UNTRUSTED DATA;">Selection</div>	Strict structural validation CSS Hex encoding good design of CSS Features
String	JavaScript	<script>var currentValue='UNTRUSTED DATA';</script>	Ensure JavaScript variables are quoted JavaScript Hex Encoding JavaScript Unicode Encoding Avoid backslash encoding (\" or \' or \\)
String	HTML Comment	<!-- UNTRUSTED DATA-->	TODO
String	JavaScript Comment	/* UNTRUSTED DATA */	TODO
HTML Text	HTML Body	<span>UNTRUSTED HTML</span>	HTML Validation (JSoup, AntiSamy, HTML Sanitizer)
String	DOM XSS	TODO	DOM based XSS Prevention Cheat Sheet
String	AJAX/JSON Parsing	TODO	Use JSON.parse or json2.js library to parse JSON Avoid parsing JSON with eval()
String	AJAX/XML Parsing	TODO	TODO

@@ Line 1: / Line 1: @@
-= DRAFT CHEAT SHEET - WORK IN PROGRESS =
-= Introduction =
-Cross site scripting is the most common web vulnerability.  It represents a serious threat because cross site scripting allows evil attacker code to run in a victim’s browser.  More details about XSS can be found here:  [https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29]
 = XSS Prevention Overview =
@@ Line 19: / Line 14: @@
 |-
 | String
-| "safe" HTML Attributes<br/><br/>align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
+| "safe" HTML Attributes
 | &lt;input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>">
 | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Avoid placing untrusted data in an ID attribute (it can influence the DOM even when escaped)</li><li>Only place untrusted data into a whitelist of safe attributes</li><li>Strictly validate unsafe attributes such as background, id and name.</ul>
@@ Line 73: / Line 68: @@
 | TODO
 |}
-= Output Encoding Types =
-{| class="wikitable"
-|-
-! Encoding Type
-! Encoding Mechanism
-|-
-| HTML Entity Encoding
-|   & --> &amp;amp;<br/>< --> &amp;lt;<br/>> --> &amp;gt;<br/>" --> &amp;quot;<br/>' --> &amp;#x27;     &apos; is not recommended<br/>/ --> &amp;#x2F;     forward slash is included as it helps end an HTML entity
-|-
-| HTML Attribute Encoding
-| TODO
-|-
-| URL Encoding
-| TODO
-|-
-| JavaScript HEX Encoding
-| TODO
-|-
-| CSS Hex Encoding
-| TODO
-|}
-= Related Articles =
-{{Cheatsheet_Navigation}}
-= Authors and Primary Editors  =
-Jim Manico - jim [at] owasp.org<br/>
-Jeff Williams - jeff [at] aspectsecurity.com
-[[Category:Cheatsheets]]

Difference between revisions of "Abridged XSS Prevention Cheat Sheet"

Revision as of 11:26, 16 November 2011

XSS Prevention Overview

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools